How to Control Permissions for the Contact Form 7 Plugin
Contact Form 7 is one of the most popular plugins in the WordPress world. However, it is a fairly basic plugin that lacks some key features such as access control.
In this guide, I'll show you how to control access to Contact Form 7 features. We'll use the PublishPress Capabilities plugin. If you want to take this tutorial a step further, check out how to control access to Contact Form 7 admin menus.
Getting started with Contact Form 7 permissions
By default, almost all WordPress users can access the list of forms in Contact Form 7. The only exception are “Subscriber” users who can't see any forms.
This image below shows what a “Contributor” user will see. They can see all the forms on the site.

However, only Administrators and Editors can edit the forms. This next image shows what a Contributor will see if they try to edit a message: “You are not allowed to edit this contact form.”

This table has a rundown of the default permissions for Contact Form 7:
WordPress user role | Can see the list of forms | Can edit the forms |
---|---|---|
Subscriber | No | No |
Contributor | Yes | No |
Author | Yes | No |
Editor | Yes | Yes |
Administrator | Yes | Yes |
Understanding the default permissions for Contact Form 7
Contact Form 7 does have slightly confusing system for managing permissions, so please read this next part carefully.
Technically, Contact Form 7 does provide several capabilities. You'll find these in the /includes/capabilities.php
file.
- wpcf7_edit_contact_form
- wpcf7_edit_contact_forms
- wpcf7_read_contact_form
- wpcf7_read_contact_forms
- wpcf7_delete_contact_form
- wpcf7_delete_contact_forms
- wpcf7_manage_integration
- wpcf7_submit
However, those capabilities are not directly useable. This is because these capabilities are mapped onto default WordPress permissions. You'll find this in the /includes/contact-form.php
file.
'edit_post' => 'wpcf7_edit_contact_form',
'read_post' => 'wpcf7_read_contact_form',
'delete_post' => 'wpcf7_delete_contact_form',
'edit_posts' => 'wpcf7_edit_contact_forms',
'edit_others_posts' => 'wpcf7_edit_contact_forms',
'publish_posts' => 'wpcf7_edit_contact_forms',
'read_private_posts' => 'wpcf7_edit_contact_forms',
However, there's also this in the wp-contact-form-7.php
file:
if ( ! defined( 'WPCF7_ADMIN_READ_CAPABILITY' ) ) {
define( 'WPCF7_ADMIN_READ_CAPABILITY', 'edit_posts' );
}
if ( ! defined( 'WPCF7_ADMIN_READ_WRITE_CAPABILITY' ) ) {
define( 'WPCF7_ADMIN_READ_WRITE_CAPABILITY', 'publish_pages' );
So what you see here is a list of the permissions that really control access to Contact Form 7. These are the normal edit, publish and delete permissions for WordPress posts and pages.
How to change Contact Form 7 permissions
You can change the default permissions with the PublishPress Capabilities plugin.
- After installing, go to “Capabilities” in your WordPress admin menu.
- In the top-left corner, choose the role you want to edit.
- Use
edit_posts
to allow users to edit forms. - Use
publish_pages
to allow users to create new forms.
So these two permissions below will give users almost complete access to Contact Form 7:

More advanced Contact Form 7 permission changes
The solution above is not ideal for every site. For example, you may not want a user to edit posts and also contact forms. That is what will happen if you give them the edit_posts
capability.
So a more advanced approach is to create your own permissions, based on the Contact Form 7 defaults. Add these to your theme's functions.php file. You can name the new permissions anything you want but I've chosen this format: edit_contactform7
and read_contactform7
.
add_filter('wpcf7_map_meta_cap', 'new_contactform7_capabilities',10,1);
function new_contactform7_capabilities($meta_caps) {
$meta_caps = array(
'wpcf7_edit_contact_form' => 'edit_contactform7',
'wpcf7_edit_contact_forms' => 'edit_contactform7',
'wpcf7_read_contact_forms' => 'read_contactform7',
'wpcf7_delete_contact_form' => 'delete_contactform7',
'wpcf7_manage_integration' => 'manage_contactform7' );
return $meta_caps;
}
- Now go to PublishPress Capabilities in your site.
- Enter these new options into the “Add Capability” box and click “Add to role”.

You can now give these permissions to the user role you choose:

I gave those three permissions to the “Contributor” role. I now have a very limited user role that does have full access to Contact Form 7's features:

Finally, if you want to go in the opposite direction and remove Contact Form 7 access from some users, check out this tutorial.
Summary of Contact Form 7 permissions
I hope this guide to Contact Form 7 was useful. Yes, this plugin is a little confusing, but the PublishPress Capabilities plugin can help you with any permissions set up that you need.
Also check out our guide to permissions for the Flamingo plugin which helps you store Contact Form 7 messages. There's also a guide available for Gravity Forms permissions.
You might find other PublishPress guides useful including our introduction to bbPress roles and capabilities, plus tutorials on restricting user access in Beaver Builder and Elementor.
If you use the Gutenberg editor, check out how to add contact forms in Gutenberg.
Great article, thanks a lot.
Just followed the process and it worked as expected.